The Proxy ARP method of routing subnets to solve the docker networking problem

Recently I discovered something called Proxy ARP. I had seen it earlier among the sysctl options but never understood what it was or why anyone would need it, until one day I worked in a networking setup that used it to route traffic from the machine to the Internet. It is an interesting technique, and it solves a real problem when you want to run the currently popular tool, docker, inside a LAN subnet that uses DHCP, without resorting to things like port forwarding to give others access to the containers.

In the standard setup, docker creates a bridge for itself named docker0 and gives it a private IP address in the class B private range. It is possible to specify the subnet for your docker containers, so let’s say my LAN subnet is (i.e. which gives me IP addresses from to When I previously did that with docker (I’m not sure whether it still behaves this way), if you gave it such a subnet it would start assigning IP addresses from the first available address in the subnet, i.e. That’s a recipe for disaster, because the first IP addresses of any subnet tend to be routers, and you definitely do not want a docker container hoarding your router’s IP address.

So I came up with this: configure the DHCP server on the router so that it does not allocate any IP address after even though our subnet does support I’ll use (i.e. as my docker subnet. I have an Ethernet interface on my machine (the machine on which docker runs) and it has an IP address of (as you can see here, the subnet is the original one). I don’t have to bridge the NIC to the docker bridge, nor do any mess like static routing.

Next, I set three parameters with sysctl (the first two enable Proxy ARP on the LAN interface and on the docker bridge; the third enables IP forwarding so the host actually routes between them):

sysctl net.ipv4.conf.eth0.proxy_arp=1 
sysctl net.ipv4.conf.docker0.proxy_arp=1
sysctl net.ipv4.ip_forward=1

Once docker starts up, it assigns to the host itself and then hands out the remaining IP addresses to containers one by one as they start. If I ping from any other machine on the LAN, it works. Similarly, I can ping any machine in the subnet from inside a docker container.

To understand why this works, we need to go back to the data link layer. Whenever a frame is to be transmitted to a machine on the local network, the sender needs to look up the physical (MAC) address of the destination. This is done using ARP (Address Resolution Protocol). Let’s say I send a packet from to, and as per our networking setup, is included in the subnet. So will now send a broadcast on the network asking for the MAC address of the IP address Since we have enabled Proxy ARP in the kernel, my machine replies to that ARP broadcast with its own MAC address (it doesn’t matter what MAC address the container has). Now the frame from will come to my machine, and once it arrives, normal IP routing takes over and forwards it to So basically, this is ARP proxy with a split subnet: we split the large subnet into two, one in which all the other machines exist and another in which the docker containers exist.
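To make that decision rule concrete, here is a small Python model, added to this post and not the author's code, of when a Linux host answers an ARP request received on one interface for an address that lives behind another interface. The conditions mirror the kernel's arp_process(): ip_forward on, proxy_arp set on the receiving interface, and a route to the target that leaves via a different interface. All addresses, the MAC and the interface names below are constructed, not the post's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    """The docker host: its MAC, sysctl flags, own addresses and routing table."""
    mac: str
    ip_forward: bool            # net.ipv4.ip_forward
    proxy_arp: dict             # interface -> net.ipv4.conf.<iface>.proxy_arp
    addresses: dict             # interface -> the host's own IP on that interface
    routes: list                # (prefix, outgoing interface) pairs

    def route_iface(self, ip):
        """Longest-prefix match, like the kernel's FIB lookup; None if unroutable."""
        best = None
        for prefix, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def arp_reply(self, in_iface, target):
        """MAC the host puts in its ARP reply, or None if it stays silent."""
        tip = ipaddress.ip_address(target)
        if tip in {ipaddress.ip_address(a) for a in self.addresses.values()}:
            return self.mac          # ordinary reply: the address is ours
        # Proxy ARP only fires when forwarding is on and the flag is set on the
        # interface the request came in on (the same gates as arp_process()).
        if not self.ip_forward or not self.proxy_arp.get(in_iface, False):
            return None
        out_iface = self.route_iface(tip)
        if out_iface is None or out_iface == in_iface:
            return None              # unroutable, or the owner sits on this same segment
        return self.mac              # proxy reply: frames for tip come to us, we route them


# Constructed example values (the post's own addresses are not reproduced):
# LAN 192.168.1.0/24, DHCP limited to .1-.127, containers in 192.168.1.128/25.
HOST = Host(
    mac="02:00:00:aa:bb:cc",
    ip_forward=True,
    proxy_arp={"eth0": True, "docker0": True},
    addresses={"eth0": "192.168.1.10", "docker0": "192.168.1.129"},
    routes=[("192.168.1.0/24", "eth0"), ("192.168.1.128/25", "docker0")],
)

if __name__ == "__main__":
    print(HOST.arp_reply("eth0", "192.168.1.130"))  # LAN asks for a container: 02:00:00:aa:bb:cc
    print(HOST.arp_reply("eth0", "192.168.1.30"))   # LAN asks for another LAN host: None
```

The second call shows why proxy ARP does not hijack ordinary LAN traffic: the host only answers for targets it would route out a different interface than the one the request arrived on.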

Now you might ask, what is the advantage of this over static routing? The answer is that it does not require any additional configuration such as static routes, port forwarding or NAT. The IPv6 equivalent of this is NDP (Neighbor Discovery Protocol) proxy.

It is indeed possible to add your NIC to the docker0 bridge and avoid all of this, but when you have mixed workloads, such as running the machine as a KVM host in addition to a Docker host, things can easily get complicated, and that is where this technique came to my rescue.

2 Comments on “The Proxy ARP method of routing subnets to solve the docker networking problem”

  1. Neat trick. Is there a way to allocate static IPs when docker containers restart? If so, with this trick a small PaaS setup can be done easily.


    • It seems there’s no direct option for this, but previously I managed to give a container the NET_ADMIN capability and set the IP address from inside the container. It’s a bit of a security risk though.

